Cyber Security in Healthcare
August 2018
Vanderbilt University Medical Center (VUMC) recently issued a warning to its staff about email spoofing and phishing attacks. Its cyber security unit detected phishing emails being sent using stolen or falsified names of employees to lure their colleagues into unknowingly engaging in fraudulent financial activity. It’s become almost a daily occurrence for someone at Vanderbilt to receive a phishing email. “The email usually comes from a phony email address that may only be one or two characters different from the real account, or it can come from a real account that has already been compromised,” their statement said. VUMC noted that since 2016 the volume of phishing emails has increased in the top five targeted industries—including healthcare—by about a third. Their cyber security unit offered some best practices for helping to identify an email phishing attempt:
- Never give out your personal information—to anyone.
- Check embedded links by hovering over the link to see the URL—but don’t click on it. In fact, never click on any links or open any attachments that you are not expecting to receive.
- Verify the display name of the sender to make sure you recognize it.
- Check the body of the message for mistakes, strange language, or threatening or urgent wording, and check the signature of the message—most professional emails will have a signature line.
- If you receive an email from someone you know that seems unusual, give them a call to verify they sent it to you before opening it.
“Often, simply looking at the sender’s email address can help you quickly determine if an email is fraudulent,” according to VUMC. “A phish is made to look like a legitimate email, be it from a friend, a business or even an organization.”
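As an added illustration, not code from VUMC’s notice, the following Python check automates two of the signals above: a sender address that is only one or two characters away from a known colleague’s address, and an embedded link whose visible URL points to a different host than its actual target. The KNOWN_SENDERS directory and all sample addresses are constructed placeholders.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-in for an organization's directory of legitimate addresses.
KNOWN_SENDERS = {
    "jane.doe@vumc.example",
    "finance@vumc.example",
}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, known=KNOWN_SENDERS, max_distance=2):
    """Return 'known', 'lookalike' (within max_distance edits of a known
    address) or 'unknown' for the address in a From: header."""
    _display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in known:
        return "known"
    closest = min(known, key=lambda k: levenshtein(addr, k))
    if levenshtein(addr, closest) <= max_distance:
        return "lookalike"
    return "unknown"


HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def mismatched_links(html):
    """Find anchors whose visible text is a URL on a different host than the
    href target, i.e. what a reader would catch by hovering over the link."""
    findings = []
    for href, text in HREF_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if not re.match(r"https?://", visible, re.I):
            continue  # plain link text such as "click here" is not compared
        if urlparse(visible).hostname != urlparse(href).hostname:
            findings.append((visible, href))
    return findings
```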
SamSam ransomware also targets healthcare, and has netted its creator $6 million so far. Victims include Indiana-based Hancock Health Hospital, Adams Memorial Hospital, and cloud-based Electronic Health Records (EHR) provider Allscripts. According to McAfee, healthcare saw a 47 percent jump in cyber attacks in the first quarter of 2018 compared with the fourth quarter of 2017, and was the most targeted sector in terms of the number of breaches in 2017–2018.
The problem is so pervasive that the Department of Health and Human Services issued a Top 10 Tips for Cybersecurity in Healthcare:
- Establish a Security Culture: The weakest link in any computer system is the user. Protecting patients through good information security practices should be as second nature to the healthcare organization as sanitary practices.
- Protect Mobile Devices: Where it is absolutely necessary to commit electronic health information to a mobile device, cyber security experts recommend that the data be encrypted. Mobile devices that cannot support encryption should not be used. If it is absolutely necessary to take a laptop containing electronic health information out of a secure area, you should protect the information on the laptop’s hard drive through encryption.
- Maintain Good Computer Habits: IT systems, including EHR systems, must be properly maintained so that they will continue to function properly and reliably.
- Use a Firewall: Unless an EHR system is used that is totally disconnected from the Internet, it should have a firewall to protect against intrusions and threats from outside sources. While anti-virus software will help to find and destroy malicious software that has already entered, a firewall’s job is to prevent intruders from entering in the first place. The anti-virus can be thought of as infection control while the firewall has the role of disease prevention.
- Install and Maintain Anti-Virus Software: It is important to use a product that provides continuously updated protection.
- Plan for the Unexpected: Sooner or later, the unexpected will happen. Fire, flood, hurricane, earthquake, and other natural or man-made disasters can strike at any time. Important healthcare records and other vital assets must be protected against loss from these events. There are two key parts to this practice: creating backups and having a sound recovery plan.
- Control Access to Protected Health Information: Identify which files should be accessible to which staff members, and set permissions accordingly.
- Use Strong Passwords and Change Them Regularly: Although a strong password will not prevent attackers from trying to gain access, it can slow them down and discourage them. In addition, strong passwords, combined with effective access controls, help to prevent casual misuse (e.g., staff members pursuing their personal curiosity about a case even though they have no legitimate need for the information).
- Limit Network Access: Wireless routers must be set up to operate only in encrypted mode. Devices brought into the practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security on short notice.
- Control Physical Access: It is important to limit the chances that a device may be tampered with, lost, or stolen. Policies should include limiting physical access, e.g., securing machines in locked rooms, managing physical keys, and restricting the ability to remove devices from a secure area.
For further information:
“Email Phishing,” Vanderbilt University,
https://it.vanderbilt.edu/services/messaging/Phishing.php.
“SamSam: The (Almost) Six Million Dollar Ransomware,” Sophos.
“Top 10 Tips for Cybersecurity in Health Care,” HHS ONC,
https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf.